Closed kevintanhongann closed 6 years ago
The Firebase library refreshes the user's token itself, every hour by default. So the session length is effectively as long as the user has your app open in their browser. If you log in, then close the tab/window, then go back to the app after an hour you should be logged out I believe.
Yep. I also wish that the scenario that you mentioned would happen, but it didn't. I had to write my own REST API to correct this.
On Tue, Mar 13, 2018, 5:41 PM Mark Stuart notifications@github.com wrote:
The Firebase library refreshes the user's token itself, every hour by default. So the session length is effectively as long as the user has your app open in their browser. If you log in, then close the tab/window, then go back to the app after an hour you should be logged out I believe.
--
Sincerely, Kevin H.A. Tan Polyglot Software Developer, Technopreneur http://about.me/kevintanhongann
+60182013739
Hey Kevin, looking at this: https://firebase.google.com/docs/auth/web/auth-state-persistence
For a web application, the default behavior is to persist a user's session even after the user closes the browser.
From what I have read, the refresh token never expires. If your Firebase session is stored in localStorage (default behaviour), the only way to prevent that refresh token from gaining you a valid auth token is to actively log the user out, which removes the key from localStorage.
If you want the user to have to log back in if they close the tab or browser, you should be able to use the .setPersistence(firebase.auth.Auth.Persistence.SESSION) as detailed in the link above.
I have not tested this, and there may be a different way to set the persistence strategy in AngularFire2.
Hey @kevintanhongann! If you're still having problems I would post an issue with the official SDK and an engineer on that team will take a look! https://github.com/firebase/firebase-js-sdk/
The scenario goes like this.
So basically I left the browser as it is after 1 hour since the default TTL of the access token is 1 hour.
After 1 hour, when you refresh the browser, the authState is supposed to kick in to check whether the currentUser is returned so that if it's not, I can log the user out, but it always returns the currentUser.
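An added example (not code from any participant in this thread or from AngularFire2) of one way to cap session age in the scenario above, combined with the setPersistence suggestion made earlier: it checks the `auth_time` claim of the ID token, which records the last interactive sign-in and is not reset by silent refreshes. It assumes the v8-style `firebase.auth()` API; `MAX_SESSION_SECONDS` and the function names are hypothetical.

```javascript
// Added example: cap a Firebase web session at a fixed age since the last
// interactive sign-in. `auth` is a firebase.auth() instance (v8-style API);
// MAX_SESSION_SECONDS is an assumed policy value, not a Firebase setting.
const MAX_SESSION_SECONDS = 60 * 60;

// auth_time is the time of the last real sign-in, in seconds since the epoch.
// Token refreshes leave it unchanged, so it measures the session's true age
// even though currentUser keeps being restored from storage.
function sessionExpired(claims, nowSeconds, maxAgeSeconds = MAX_SESSION_SECONDS) {
  const authTime = claims ? Number(claims.auth_time) : NaN;
  if (!Number.isFinite(authTime)) return true; // fail closed on a missing claim
  return nowSeconds - authTime > maxAgeSeconds;
}

// Resolves to true if the user may stay signed in, false if there is no user
// or the session was too old and the user has been signed out.
async function enforceSessionAge(auth, user, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!user) return false;
  const { claims } = await user.getIdTokenResult();
  if (sessionExpired(claims, nowSeconds)) {
    await auth.signOut(); // clears the persisted user, including the refresh token
    return false;
  }
  return true;
}

// Wiring: persistenceType is e.g. firebase.auth.Auth.Persistence.SESSION.
// Returns the unsubscribe function from onAuthStateChanged.
async function installSessionPolicy(auth, persistenceType) {
  await auth.setPersistence(persistenceType);
  return auth.onAuthStateChanged((user) => {
    enforceSessionAge(auth, user);
  });
}
```

A client-side check like this only governs the UI; a backend that accepts the ID token should apply the same `auth_time` limit to the verified token.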